Costa Ricans struggled to pay taxes by hand Monday after a ransomware cyberattack took down the country’s online tax collection system.
Several Costa Rican government agencies, including the Finance Ministry, are severely hampered after an international cybercriminal gang called Conti locked their systems last month and demanded a ransom payment to make them operable again. The country’s new president, Rodrigo Chaves, declared a state of emergency last week soon after he was sworn in.
Ransomware attacks have become common in recent years, with cybercriminals often strategically attacking businesses and smaller government organizations at times when shutdowns would come at high cost to provide incentives for victims to pay.
The cybersecurity company Emsisoft has estimated that ransomware attacks cost victims more than $600 million in the U.S. last year. But the attack on Costa Rica’s government is the largest known single criminal ransomware attack to date against one country’s government.
Costa Ricans normally pay taxes through an online system, which is still inoperable with Finance Ministry networks down. The country has delayed some tax deadlines until August at the earliest because of the attack. But it’s still collecting a monthly value-added tax on sales and imports.
With no option to pay the VAT online, the Finance Ministry has instructed people to download a program called EDDI7, which works only on Windows operating systems, and then fill in their tax information, print out the forms and physically take them to government-approved banks to pay their taxes.
That system has led to a host of problems, such as customers’ waiting at banks for hours to pay on Monday, reported El Financiero, a Costa Rican financial newspaper.
Alex Vargas, a photographer who lives in a coastal area far from the capital, San José, said that because he uses only Apple Macintosh computers at his office, he had to take his business filings home to use the program on his home computer and then spend the day traveling to and from an approved bank because his local one wasn’t authorized to collect the VAT.
“The whole country is trying to pay taxes at the same time,” Vargas said in a Twitter direct message. “Going to a bank is not the problem. The problem is wasting 2 hours there or more.”
And the EDDI7 app is counterintuitive, Vargas said.
“The app looks like a program from more than 20 years ago,” he said.
Conti, one of the most notorious active cybercriminal gangs, previously locked up computer networks for Ireland’s national health care system, with estimated costs associated with the attack rising as high as 100 million euros ($105 million).
After the cyberattack on Costa Rica, the U.S. State Department offered a reward of $10 million for information leading to Conti leaders.
Chaves said Monday that Conti had collaborators working within his country’s government, according to an account of a news conference translated and reported by The Tico Times, a Costa Rican news outlet.
“We are at war and that is not an exaggeration,” Chaves said. “People inside the country are collaborating with Conti.”